02-02-2015 11:23 PM
I am stuck a bit with an issue and need your help to solve this.
We have a master-local setup of 6 controllers. 1 controller is the master, all the others are locals.
APs terminate on all the controllers.
I have enabled the features "Deny inter-user traffic" and "Deny inter-user bridging" on all 6 controllers. Hence when 2 users are connected to APs terminating on the same controller they are not able to ping.
This is an expected behavior and we need this feature.
The problem is seen when one user terminates on an AP going to controller 1 and the other user terminates on an AP going to controller 2. They are able to ping. The 2 end users have IP addresses from the same subnet.
It is like a security breach ...
Hence let me know how I can resolve this. Is there any other feature like "Deny inter-user traffic" which can disable the communication between guests that are connected to different controllers?
Controllers are running the 220.127.116.11 code as of now. If required we can upgrade.
02-03-2015 01:13 AM - edited 02-03-2015 01:15 AM
You may create your own access role that looks like this (in each controller):
*Do it under the user role your users are getting*
*Do 2 sets of rules*
Don't forget to apply & save in the end.
02-03-2015 01:36 AM
Yes, we need a PEF license to create and apply any roles and policies. Policies are always applied at the local (where the AP is terminated), hence a PEF license is required on all the controllers wherever user traffic is being processed.
Hope you got some more clarity.
Please feel free to ask any further query on this.
02-03-2015 04:09 AM
I had a ticket open for this: users from two different controllers being able to see each other (with an ARP scan or such) while deny inter-user routing / bridging was turned on. Support told me this isn't possible to block at this moment.
Do remember that actual useful communication on layer 2 isn't that easy; most applications will use IP and that will be blocked. Of course, if your users want it badly enough there are probably methods.
You can also work around this by having your users from different controllers end up in different subnets. Then only using control lists is enough.
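As an added example (not the configuration from the screenshot in the earlier reply, which is not reproduced here), this is an ArubaOS-style session ACL that implements the role-based approach suggested above and the subnet-plus-ACL workaround in this post: it blocks guest-to-guest traffic within the guest subnet while still permitting the gateway, so it works regardless of which controller the two clients terminate on. The subnet 10.10.10.0/24, the gateway/DHCP address 10.10.10.1 and the names `guest-no-peer` and `guest` are placeholders to be replaced with your own values, and the ACL must be configured on every local controller.

```text
! Permit the gateway / DHCP server first, then deny the rest of the guest subnet.
! Rule order matters: the first matching rule wins.
ip access-list session guest-no-peer
  user host 10.10.10.1 any permit
  user network 10.10.10.0 255.255.255.0 any deny
!
! Place the ACL ahead of the existing rules in the guest role on each controller.
user-role guest
  access-list session guest-no-peer position 1
```

Verify after applying with `show rights guest` on each local controller and by checking `show datapath session` for a denied flow between two guest clients on different controllers.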